PT-2025-5971 · Apache · Apache Kvrocks

Sergey Volosatov · Published 2025-02-07 · Updated 2025-07-16 · CVE-2025-25069

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Apache Kvrocks versions 1.0 through 2.11.0
Description: A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks. Since Kvrocks did not detect if `Host:` or `POST` appears in RESP requests, a valid HTTP request can also be sent to Kvrocks as a valid RESP request and trigger some database operations, which can be dangerous when chained with SSRF. This issue is similar to a previously identified vulnerability in Redis.
Recommendations: For Apache Kvrocks versions 1.0 through 2.11.0, upgrade to version 2.11.1, which fixes the issue. As a temporary workaround, consider restricting access to the database operations that can be triggered by the vulnerability until the update is applied.
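The guard the advisory describes as missing, modelled as an added example (not Kvrocks' or Redis' own code): a toy RESP inline-command reader that, in Redis style, treats a command named `POST` or `Host:` as evidence that the peer is speaking HTTP and closes the connection instead of executing anything. The sample HTTP request, the `InlineSession` class and `HTTP_MARKERS` are constructed for illustration.

```python
"""Cross-protocol scripting guard for a RESP inline-command reader.

Added example, not Kvrocks' own code. RESP servers accept "inline"
commands (one line of space-separated words), so the request line
"POST / HTTP/1.1" and the header "Host: ..." of an HTTP request parse as
commands named POST and Host:. The guard rejects those names outright.
"""
from dataclasses import dataclass, field

# Command names that only an HTTP client would ever send (constructed set).
HTTP_MARKERS = frozenset({"POST", "HOST:"})


@dataclass
class InlineSession:
    """Parses RESP inline commands from one connection's byte stream."""
    guard_enabled: bool = True
    executed: list = field(default_factory=list)
    closed: bool = False

    def feed(self, data: bytes) -> None:
        # Inline commands are CRLF-terminated; process one line at a time.
        for raw in data.split(b"\r\n"):
            if self.closed:
                return
            line = raw.strip()
            if not line:
                continue  # blank line, e.g. the end of HTTP headers
            args = line.split()
            name = args[0].decode("latin-1").upper()
            if self.guard_enabled and name in HTTP_MARKERS:
                # HTTP detected on a RESP port: drop the connection.
                self.closed = True
                return
            self.executed.append([a.decode("latin-1") for a in args])


def run(request: bytes, guard_enabled: bool) -> InlineSession:
    """Feed one request to a fresh session and return it for inspection."""
    session = InlineSession(guard_enabled=guard_enabled)
    session.feed(request)
    return session


# Constructed sample: a browser-style HTTP request arriving at a RESP port.
HTTP_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: kvrocks.internal.example\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print("unguarded executed:", run(HTTP_REQUEST, False).executed)
    print("guarded closed:", run(HTTP_REQUEST, True).closed)
```

Without the guard every HTTP line is queued as a command; with it the session is closed at the request line and nothing is executed.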

Fix

Weakness Enumeration

Related Identifiers

CVE-2025-25069

Affected Products

Apache Kvrocks